Netgate Discussion Forum

    Blocking 239.255.255.250

    pfBlockerNG
    10 Posts 6 Posters 3.3k Views
      justsomeguy6575

      Why would I be seeing this? I know what 239.255.255.250 is but don't understand why pfBlocker is blocking it. It shows it doesn't even match a list. I have upgraded to pfSense 2.4 and it may have started right at that time, but I can't say that 100% for sure.
      ![pfBlocker IPv4Malware.PNG](/public/imported_attachments/1/pfBlocker IPv4Malware.PNG)

        RonpfS

        "no match" is shown when pfBlockerNG doesn't find the IP in any table.

        That can happen after a Force/Cron update ran and the IP is no longer present in the table.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

          justsomeguy6575

          How would I go about clearing that? It's been happening for a couple weeks now actually. I've forced update/reload and the firewall has been rebooted. I have also uninstalled/reinstalled pfBlocker with "Keep Settings" unchecked.

            RonpfS

            As long as it is in present FW Alerts, it will display in the pfBlockerNG Alerts tab

            If the blocks are still occurring, then you have to figure out which table causes the block
            Either look at the tables with the pfBlockerNG Logs tab

            or use a command prompt

            grep "^239." /var/db/pfblockerng/deny/*

              BBcan177 Moderator

              By any chance are you using the "ThreatCrowd" feed?  I have seen too many FPs with that list…

              https://www.threatcrowd.org/feeds/ips.txt
              

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                worthmining

                @RonpfS:

                As long as it is in present FW Alerts, it will display in the pfBlockerNG Alerts tab

                If the blocks are still occurring, then you have to figure out which table causes the block
                Either look at the tables with the pfBlockerNG Logs tab

                or use a command prompt

                grep "^239." /var/db/pfblockerng/deny/*

                I did this and it returned nothing, yet 239.255.255.250 is still showing up in pfBlocker with "no match". Any idea where it is from?
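
Added example, not part of any post in this thread: the `grep "^239."` search only lists entries that literally begin with `239.`, so an entry written as a CIDR range that covers the address (one starting at 224.0.0.0, for instance) is not shown by it. The sh/awk function below checks an address against every entry by range; `find_covering_entries` is a name made up here, and it assumes the files under /var/db/pfblockerng/deny/ hold one IPv4 address or CIDR per line.

```shell
#!/bin/sh
# find_covering_entries IP FILE...
# Prints "file:line:entry" for each entry (single address or CIDR) covering IP.
# Real use, with the path from the thread:
#   find_covering_entries 239.255.255.250 /var/db/pfblockerng/deny/*
find_covering_entries() {
    target=$1
    shift
    awk -v target="$target" '
    # Dotted quad -> integer, or -1 when the string is not a valid IPv4 address.
    function ip2int(s,    o, n, i, v) {
        n = split(s, o, ".")
        if (n != 4) return -1
        v = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
            v = v * 256 + o[i]
        }
        return v
    }
    BEGIN {
        t = ip2int(target)
        if (t < 0) { print "bad target: " target > "/dev/stderr"; exit 2 }
    }
    {
        entry = $1
        sub(/\r$/, "", entry)                     # tolerate CRLF line endings
        if (entry == "" || entry ~ /^#/) next     # skip blanks and comments
        bits = 32; addr = entry
        if ((p = index(entry, "/")) > 0) {
            addr = substr(entry, 1, p - 1)
            b = substr(entry, p + 1)
            if (b !~ /^[0-9]+$/) next
            bits = b + 0                          # force numeric comparison
            if (bits > 32) next
        }
        a = ip2int(addr)
        if (a < 0) next
        size = 2 ^ (32 - bits)                    # addresses in the block
        if (int(t / size) == int(a / size))       # same block => entry covers IP
            print FILENAME ":" FNR ":" entry
    }' "$@"
}

# Constructed sample list (not real feed data): the prefix grep would miss it.
demo_dir=$(mktemp -d)
printf '198.51.100.7\n224.0.0.0/4\n' > "$demo_dir/sample_list.txt"
find_covering_entries 239.255.255.250 "$demo_dir"/*.txt
rm -rf "$demo_dir"
```

If this also prints nothing for the real deny files, no pfBlockerNG list entry covers the address.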

                  mtarbox

                  It is SSDP. 239.255.255.250:1900 UDP
                  I created a LAN rule to drop and not log those packets and it cleared up the alerts.

                  ![Screenshot (13).png](/public/imported_attachments/1/Screenshot (13).png)

                  Si vis pacem, para pactum.

                    mtarbox

                    I should also note that the SSDP traffic was coming only from my DirecTV boxes, and it was really annoying.
                    So I also created WAN rules for each specific address to block and not log.
                    Granted, I am very new to pfSense and pfBlockerNG, and these folks have been AWESOME to help me figure stuff out, and what I have done might not necessarily work in your case.

                    ![Screenshot (14).png](/public/imported_attachments/1/Screenshot (14).png)

                      vito

                      @BBcan177:

                      By any chance are you using the "ThreatCrowd" feed?  I have seen too many FPs with that list…

                      https://www.threatcrowd.org/feeds/ips.txt
                      

                      I am seeing more of these, and yes, it is from the threatcrowd list from what I can see on my system.

                      However, I did add it to suppression and it is still showing. :(

                      And yes, I am seeing a lot of possible FPs from that list also.

                      Thx!

                        BBcan177 Moderator

                        I have had poor results with that Feed… I'd disable due to the FPs in the feed...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.